# Configure bastion host integration

Once IAM management is configured, you can enable secure SSH access to VMs in your Azure environment. This requires two parts:

* Bastion host configuration under the Azure integration (this page)
* [SSH access setup](/integrations/resource-integrations/microsoft-azure/install-ssh-access.md) under Integrations → SSH

{% hint style="warning" %}
Complete [IAM management](/integrations/resource-integrations/microsoft-azure/iam-management.md) before starting this step. The Bastion host configuration depends on the IAM permissions set up in the previous step.
{% endhint %}

## Prerequisites

Before setting up this integration, you must have an Azure Bastion host already deployed in your Azure environment. P0 does not create the Bastion host for you — it connects to an existing one.

If you have not yet deployed a Bastion host, see [Microsoft's Bastion deployment guide](https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal) to create one first.

Your existing Bastion host must meet the following requirements.

| Requirement      | Details                                                                                                |
| ---------------- | ------------------------------------------------------------------------------------------------------ |
| SKU type         | Must be **Standard** or **Premium** (Basic SKU is not supported because it does not support tunneling) |
| Tunneling        | Must be **enabled** in the Bastion host configuration                                                  |
| IP configuration | Must have at least one IP configuration                                                                |
| Subnet           | Must have an IP configuration with the **AzureBastionSubnet** subnet                                   |

{% hint style="info" %}
If any of these requirements are not met, P0 displays a specific error message during setup indicating which requirement failed. Update your Bastion host configuration in the Azure Portal and retry.
{% endhint %}
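As an added pre-flight check (example code, not P0's own tooling), the script below reproduces the four checks P0 runs against a Bastion host, printing the same messages P0 shows, so you can test a host before adding it in the P0 console. It assumes the Azure CLI is logged in and that `BASTION_ID` holds the host's resource ID; the property names it reads (`sku.name`, `enableTunneling`, `ipConfigurations[].subnet.id`) are those returned by `az network bastion show`.

```shell
#!/bin/sh
# Added pre-flight check (not part of P0's own tooling): tests a Bastion host
# against the four requirements P0 validates, reporting the same messages P0 shows.
set -eu

# p0_bastion_check SKU TUNNELING SUBNET_IDS
#   SKU         sku.name of the Bastion host (Basic, Standard, Premium, ...)
#   TUNNELING   the enableTunneling flag as printed by `az ... -o tsv` (True/False)
#   SUBNET_IDS  space-separated ipConfigurations[].subnet.id values ("" if none)
# Prints one line per failed requirement; returns 0 if all pass, 1 otherwise.
p0_bastion_check() {
  sku=$1; tunneling=$2; subnets=${3:-}; rc=0
  case "$sku" in
    Standard|Premium) ;;
    *) echo "Azure bastion host must be of 'Standard' or 'Premium' type (found: $sku)"; rc=1 ;;
  esac
  case "$tunneling" in
    true|True) ;;
    *) echo "Azure bastion host must have tunneling enabled"; rc=1 ;;
  esac
  if [ -z "$subnets" ]; then
    echo "Azure bastion host must have at least one IP configuration"; rc=1
  else
    has_bastion_subnet=0
    for s in $subnets; do
      case "$s" in
        */Microsoft.Network/virtualNetworks/*/subnets/AzureBastionSubnet) has_bastion_subnet=1 ;;
      esac
    done
    if [ "$has_bastion_subnet" -eq 0 ]; then
      echo "Azure bastion host must have an IP configuration with the 'AzureBastionSubnet' subnet"; rc=1
    fi
  fi
  return "$rc"
}

# Live check: set BASTION_ID to the host's resource ID (after `az login`).
# Nothing runs when BASTION_ID is unset, so the file can be sourced for the
# function alone. The three values are fetched in one call as a TSV row.
if [ -n "${BASTION_ID:-}" ]; then
  az network bastion show --ids "$BASTION_ID" \
    --query "[sku.name, enableTunneling, join(' ', ipConfigurations[].subnet.id)]" -o tsv |
  {
    IFS="$(printf '\t')" read -r sku tunneling subnets
    p0_bastion_check "$sku" "${tunneling:-False}" "${subnets:-}"
  }
fi
```

Run it as `BASTION_ID=/subscriptions/.../bastionHosts/<name> sh check-bastion.sh`. If you only know the host's name and resource group, `az network bastion show -n <name> -g <resource-group> --query id -o tsv` prints the resource ID that single-Bastion-host mode asks for in the setup steps.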

## How subscription Bastion hosts work

P0 installs Bastion host configuration **per subscription**. Each subscription that needs SSH access must have a Bastion host component configured. P0 supports two configuration modes:

| Mode                          | Description                                                                       | When to use                                                                             |
| ----------------------------- | --------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
| **Single Bastion host**       | Points directly to a Bastion host resource in the subscription                    | The subscription has its own Bastion host deployed                                      |
| **Subscription Bastion host** | References another subscription that already has a single Bastion host configured | Multiple subscriptions share a single Bastion host deployed in a different subscription |

**Single Bastion host** is the default mode. Select this when your subscription contains its own Bastion host. You provide the Bastion host's Azure resource ID, and P0 validates it against the requirements listed above.

**Subscription Bastion host** allows you to reuse a Bastion host from another subscription. When you select this mode, P0 shows a dropdown of subscriptions that already have a single Bastion host configured. The selected subscription's Bastion host is used for SSH sessions in the current subscription.

{% hint style="info" %}
A subscription Bastion host can only reference a subscription with a **single** Bastion host. Chaining references (a subscription Bastion host pointing to another subscription Bastion host) is not supported.
{% endhint %}

## Permissions

During setup, P0 creates a custom Azure role scoped to the target subscription. This role grants P0 the minimum permissions needed to manage Bastion sessions.

**Role name:** `P0 Bastion Host Management - {subscriptionId}`

**Required permissions:**

| Permission                                                       | Purpose                                                     |
| ---------------------------------------------------------------- | ----------------------------------------------------------- |
| `Microsoft.Network/bastionHosts/read`                            | Read Bastion host configuration and status                  |
| `Microsoft.Network/bastionHosts/disconnectActiveSessions/action` | Disconnect active Bastion sessions during access revocation |

This role is assigned to the service principal created during [Azure app registration](/integrations/resource-integrations/microsoft-azure/azure-app-registration.md).

## Setup steps

1. In the **Azure** integration on [p0.app](https://p0.app), select **Bastion Host**.

<figure><img src="/files/WKASRqyaFoCbUTwa7u2O" alt=""><figcaption></figcaption></figure>

2. Click **Add subscription**.

<figure><img src="/files/F1PyR5jGkYpKS1NbYFoR" alt=""><figcaption></figcaption></figure>

3. Select a subscription. Only subscriptions with [IAM management](/integrations/resource-integrations/microsoft-azure/iam-management.md) already installed appear in this list.

<figure><img src="/files/Go1zxwUfeZIKWttYrf2j" alt=""><figcaption></figcaption></figure>

4. Run the Shell or Terraform steps to create the custom role and assign it to the P0 service principal.

{% tabs %}
{% tab title="Shell" %}
The shell commands:

1. Set the active subscription
2. Create the `P0 Bastion Host Management - {subscriptionId}` custom role with the required permissions
3. Assign the role to the P0 service principal
{% endtab %}

{% tab title="Terraform" %}
The Terraform configuration:

1. Creates an `azurerm_role_definition` resource with the required permissions
2. Creates an `azurerm_role_assignment` resource assigning the role to the P0 service principal
{% endtab %}
{% endtabs %}

<figure><img src="/files/ijiQjBjIauV2VnN6H7y6" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/caTTSNTsO0I4omd8kqDZ" alt=""><figcaption></figcaption></figure>
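The Shell tab's three steps written out as an added example, not the exact commands P0 displays in its console (those already carry your subscription and application IDs): the script defines the role with the two permissions from the Permissions table, pins it to the subscription through `AssignableScopes`, and assigns it to the P0 service principal. `P0_SUBSCRIPTION_ID` and `P0_APP_ID` (the client ID of the app registration from the earlier step) are assumed input variables, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not the commands P0 generates in its console): creates the
# "P0 Bastion Host Management - {subscriptionId}" custom role with exactly the
# two permissions P0 requires and assigns it to the P0 service principal at
# subscription scope. Safe to re-run, which is what the troubleshooting
# entries "Custom role not found" and "Custom role is not assigned" ask for.
set -eu

# Emit the custom-role definition JSON for one subscription. AssignableScopes
# restricts where the role may be assigned, so it cannot leak into other
# subscriptions of the same tenant.
p0_bastion_role_json() {
  sub=$1
  cat <<EOF
{
  "Name": "P0 Bastion Host Management - $sub",
  "Description": "Lets P0 read Bastion hosts and disconnect active sessions",
  "Actions": [
    "Microsoft.Network/bastionHosts/read",
    "Microsoft.Network/bastionHosts/disconnectActiveSessions/action"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$sub" ]
}
EOF
}

# Create the role if it does not exist yet, then assign it to the P0 app
# registration (app_id is its application/client ID; `--assignee` resolves it
# to the service principal). A freshly created role definition takes a moment
# to replicate, so the assignment is retried instead of failing on the first
# "role not found".
p0_install_bastion_role() {
  sub=$1; app_id=$2
  role="P0 Bastion Host Management - $sub"
  az account set --subscription "$sub"
  if [ "$(az role definition list --name "$role" --query 'length(@)' -o tsv)" = "0" ]; then
    tmp=$(mktemp)
    p0_bastion_role_json "$sub" > "$tmp"
    az role definition create --role-definition "@$tmp"
    rm -f "$tmp"
  fi
  if [ "$(az role assignment list --assignee "$app_id" --role "$role" \
          --scope "/subscriptions/$sub" --query 'length(@)' -o tsv)" = "0" ]; then
    n=0
    until az role assignment create --assignee "$app_id" --role "$role" \
            --scope "/subscriptions/$sub"; do
      n=$((n + 1)); [ "$n" -lt 6 ] || return 1
      sleep 10
    done
  fi
}

# Inputs are assumed to come from the environment; nothing runs when unset.
if [ -n "${P0_SUBSCRIPTION_ID:-}" ] && [ -n "${P0_APP_ID:-}" ]; then
  p0_install_bastion_role "$P0_SUBSCRIPTION_ID" "$P0_APP_ID"
fi
```

Run it as `P0_SUBSCRIPTION_ID=<subscription-id> P0_APP_ID=<client-id> sh install-p0-bastion-role.sh` with an identity that holds `Microsoft.Authorization/roleDefinitions/write` and `roleAssignments/write` on the subscription (Owner or User Access Administrator). Keeping the Actions list to exactly the two entries in the Permissions table is the point: the role lets P0 observe and tear down Bastion sessions, not create them or touch the host.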

5. Select the Bastion host mode:
   * **Single Bastion host** (default): Provide the Azure Bastion host resource ID. In the Azure Portal, go to the Bastions service, select your Bastion resource, open its **JSON View**, and copy the `id` value.
   * **Subscription Bastion host**: Select from the dropdown of subscriptions that already have a single Bastion host configured.

<figure><img src="/files/CDi9leOUYOWuletS296i" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LhJe3OqwKbx8FdyqgMMi" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
The Bastion host resource ID follows this format (the resource group is identified by its name):

`/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/bastionHosts/{bastionHostName}`
{% endhint %}

P0 validates the Bastion host against all requirements listed in the [Prerequisites](#prerequisites) section. If validation fails, you see a specific error message indicating which requirement was not met.

The Bastion host configuration is now complete.

## Troubleshooting

| Error                                                                                   | Cause                                                  | Resolution                                                              |
| --------------------------------------------------------------------------------------- | ------------------------------------------------------ | ----------------------------------------------------------------------- |
| "Azure bastion host must be of 'Standard' or 'Premium' type"                            | The Bastion host uses the Basic SKU                    | Upgrade the Bastion host to Standard or Premium SKU in the Azure Portal |
| "Azure bastion host must have tunneling enabled"                                        | Tunneling is disabled on the Bastion host              | Enable tunneling in the Bastion host configuration                      |
| "Azure bastion host must have at least one IP configuration"                            | The Bastion host has no IP configuration               | Check the host's IP configurations in the Azure Portal; a host with none was not fully deployed and must be redeployed |
| "Azure bastion host must have an IP configuration with the 'AzureBastionSubnet' subnet" | The Bastion host is not attached to the correct subnet | Attach the Bastion host to a subnet named `AzureBastionSubnet`          |
| "Custom role not found in subscription"                                                 | The shell or Terraform commands did not complete       | Re-run the install commands from step 4                                 |
| "Custom role is not assigned to the App Client"                                         | The role assignment was not created                    | Re-run the role assignment command from step 4                          |

## Next step

Proceed to [Install SSH access control](/integrations/resource-integrations/microsoft-azure/install-ssh-access.md) to connect P0 to your Azure VMs.

